Update: The CTF has now ended. Thanks for playing! We'll have another follow-up post here soon.

The hardest part of writing secure code is learning to think like
an attacker. For example, every programmer is told to watch out for
SQL injections, but it's hard to appreciate just how exploitable they
are until you've written a SQL injection of your own.

We built Stripe Capture the Flag, a security wargame inspired by
SmashTheStack's IO, to
help the community (as well as our team!) practice identifying and
exploiting common security problems.

After completing our CTF, you
should have a greatly improved understanding of how attackers will try
to break your code (and hopefully will have fun in the process!).

You can begin Stripe's CTF challenge by running ssh
level01@ctf.stri.pe from your shell and entering the
password e9gx26YEb2.

Your goal is to read the contents of
/home/level02/.password. In /levels/level01, you'll find
a setuid binary owned by level02 (as well as its source code)
— you will probably find it useful.

Once you have the password, you can ssh in as level02. There are
six levels in all; once you've logged in as level06 your goal is to
read the password from /home/the-flag/.password.

If you've successfully captured the flag, let us know at ctf@stripe.com! We'll send a
special-edition Stripe CTF T-shirt to anyone who successfully captures
the flag. Include the following information in your email: